[go: up one dir, main page]

US20130073271A1 - Static fault tree analysis system and method from system models - Google Patents

Static fault tree analysis system and method from system models Download PDF

Info

Publication number
US20130073271A1
US20130073271A1 US13/699,359 US201113699359A US2013073271A1 US 20130073271 A1 US20130073271 A1 US 20130073271A1 US 201113699359 A US201113699359 A US 201113699359A US 2013073271 A1 US2013073271 A1 US 2013073271A1
Authority
US
United States
Prior art keywords
fault
models
events
component error
fault tree
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US13/699,359
Inventor
Jianwen Xiang
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
NEC Corp
Original Assignee
NEC Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by NEC Corp filed Critical NEC Corp
Assigned to NEC CORPORATION reassignment NEC CORPORATION ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: XIANG, JIANWEN
Publication of US20130073271A1 publication Critical patent/US20130073271A1/en
Abandoned legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/0703Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation
    • G06F11/079Root cause analysis, i.e. error or fault diagnosis
    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B23/00Testing or monitoring of control systems or parts thereof
    • G05B23/02Electric testing or monitoring
    • G05B23/0205Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults
    • G05B23/0218Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults characterised by the fault detection method dealing with either existing or incipient faults
    • G05B23/0243Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults characterised by the fault detection method dealing with either existing or incipient faults model based detection method, e.g. first-principles knowledge model
    • G05B23/0245Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults characterised by the fault detection method dealing with either existing or incipient faults model based detection method, e.g. first-principles knowledge model based on a qualitative model, e.g. rule based; if-then decisions
    • G05B23/0248Causal models, e.g. fault tree; digraphs; qualitative physics
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F30/00Computer-aided design [CAD]
    • G06F30/30Circuit design
    • G06F30/32Circuit design at the digital level
    • G06F30/33Design verification, e.g. functional simulation or model checking
    • G06F30/3323Design verification, e.g. functional simulation or model checking using formal methods, e.g. equivalence checking or property checking

Definitions

  • the present invention is concerned with methods and systems for automatic system reliability analysis from system configurations, especially with the methods and systems for qualitative reliability analysis of computer systems with static fault tree analysis (FTA) and system models.
  • FTA static fault tree analysis
  • FTA fault tree analysis
  • NON-PTL 1 J. B. Dugan, S. J. Bavuso, and M. A. Boyd, Dynamic Fault-Tree Models for Fault Tolerant Computer Systems, IEEE Trans. on Reliability, Vol. 41, No. 3, 1992, pp. 363-377.
  • the first problem is that in the above-described technologies, manual development of fault trees is difficult and error-prone, especially in the case of large and complex system analysis.
  • the second problem is that functional and sequential dependencies between events of components are usually modeled with some dynamic gates, which may introduce potential semantic troubles and require extra cost for the system administration and maintenance at runtime.
  • the present invention has been accomplished in consideration of the above-mentioned problems, and an objective of the present invention is to provide a system and a method for automatically developing and analyzing fault trees from system models.
  • Another objective of the present invention is to present a model to define functional and sequential dependencies between events with standard static logic gates.
  • the present invention for solving the above-mentioned problems is a system for static fault tree analysis from system models which includes a system configuration input means that inputs system configurations and top events of the system to be analyzed, a system model library means that stores a set of system architecture models and component error models, and a fault tree analysis means that analyzes fault trees of the system from the aforementioned top event in terms of decomposition rules defined in the aforementioned component error models, wherein the aforementioned system configurations and the aforementioned top events are instances of the system architecture models and the fault events of the component error models stored in the aforementioned system model library means, respectively, the aforementioned system architecture models delimit classification of and definitions of physical and semantic relations between different components, and the aforementioned component error models define different fault events of components and their Boolean logic relationships called decomposition rules which cover both functional and sequential dependencies for fault tree analysis.
  • the present invention for solving the above-mentioned problems is a method for static fault tree analysis from system models which includes a step of storing, in a system to be analyzed, a set of system architecture models that delimit classification of and definitions of physical and semantic relations between different components, and component error models that define different fault events of components and their Boolean logic relationships called decomposition rules which cover both functional and sequential dependencies for fault tree analysis, a step of selecting top events of the system to be analyzed, and a step of analyzing fault trees from the aforementioned top events in terms of decomposition rules defined in the aforementioned component error models.
  • the present invention for solving the above-mentioned problems is a program for causing a computer to analyze static fault trees from system models, which causes the computer to execute a process of storing, in a system to be analyzed, a set of system architecture models that delimit classification of and definitions of physical and semantic relations between different components, and component error models that define different fault events of components and their Boolean logic relationships called decomposition rules which cover both functional and sequential dependencies for fault tree analysis, and a process of analyzing fault trees from the selected top events in terms of decomposition rules defined in the aforementioned component error models.
  • the present invention makes it possible to automatically develop the fault trees of the system from the instances of the system architecture models and the top events with regard to the component error models.
  • FIG. 1 is a block diagram illustrating a configuration of the first implementation mode of the present invention.
  • FIG. 2 is a flowchart illustrating an operation of the first implementation mode.
  • FIG. 3 is a block diagram illustrating configurations of the second implementation mode and the third implementation mode of the present invention.
  • FIG. 4 is a flowchart illustrating an operation of the second implementation mode.
  • FIG. 5 is a flowchart illustrating an operation of the third implementation mode.
  • FIG. 6 is a view illustrating a specific example of an operation of the first implementation mode.
  • FIG. 7 is a view illustrating an example of the system architecture model (UML view).
  • FIG. 8 is a view illustrating an example of a network server architecture model (Maude specification).
  • FIG. 9 is a view illustrating an example of the component error model (Maude specification).
  • FIG. 10 is a view illustrating an example of a MCS calculation rule (Maude specification).
  • FIG. 11 is a view illustrating an example of the system configuration input (Maude specification).
  • FIG. 12 is a view illustrating MCS outputs with regard to the input of FIG. 11 .
  • FIG. 13 is a view illustrating an example of a conversion from a PAND gate to an AND gate.
  • FIG. 14 is an explanatory view of a processing procedure that is performed by a reliability analysis support device of the patent literature 3.
  • FIG. 15 is a detailed explanatory view of an FT view preparation step of the patent literature 3.
  • the static fault tree analysis (FTA) system from the system models of the present invention includes a system configuration input means, a system model library means, and a fault tree analysis (FTA) means.
  • the system configuration input means is used to input the (physical and semantic) configuration of the system to be analyzed.
  • the input configuration follows the definitions of system architecture models defined in the system model library means below.
  • the system model library means is used to save a set of system architecture models and component error models, and a set of minimal cut set calculation rules of the fault trees.
  • the system architecture models include classification of and relations between components, in which the relations include potential physical connections and compositions, and semantic requirements such as functional dependencies between the components.
  • the component error models include definitions of different fault and conditional events of components, in which both functional dependency between components and sequential dependency between fault events are covered.
  • the axioms of the component error models play the role as decomposition rules for fault tree construction (analysis).
  • MCS minimal cut set
  • the fault tree analysis (FTA) means is used to generate and analyze the fault trees of the inputted system configurations in terms of the aforementioned fault tree decomposition and MCS calculation rules defined in the system model library means.
  • the first implementation mode of the present invention includes a system configuration input means 110 , a system model library means 120 , and a fault tree analysis (FTA) means 130 .
  • FFA fault tree analysis
  • the system model library means 120 further includes a system architecture model means 121 and a component error model means 122 .
  • the system configuration input means 110 inputs the system configuration and the top event of the system to be analyzed.
  • the system configuration must follow the definitions of the system architecture models defined in the system architecture model means 121 to be later described.
  • the system model library means 120 stores a set of system models for fault tree analysis (FTA).
  • FTA fault tree analysis
  • the system models can be further classified into two groups, namely system architecture models and component error models.
  • the system architecture model means 121 stores a set of system architecture models specifying the classification and properties of components.
  • the properties are denoted by functions representing compositions of components, and potential physical connections and semantic (functional) relations between components.
  • the component error model means 122 stores a set of component error model specifying different component fault and conditional events and their logic relations.
  • the axioms defined in the component error models play the role as fault tree decomposition rules.
  • the fault tree analysis (FTA) means 130 decomposes events from the aforementioned top events in terms of the aforementioned input system configurations and fault tree decomposition rules. That is, the fault tree analysis (FTA) means 130 analyzes the fault trees.
  • the system configuration is input by the aforementioned system configuration input means 110 (Step A 1 ).
  • the user inputs (selects) a top fault event of the system to be analyzed (Step A 2 ).
  • the top event is decomposed into some sub events by the fault tree analysis (FTA) means 130 in terms of some decomposition rule defined in the component error model means 122 (Step A 3 ).
  • FFA fault tree analysis
  • Step A 3 Redo the decomposition (Step A 3 ) for the sub events until there is no decomposition rule available for the decomposed sub events, i.e., they become basic events which are not further decomposable.
  • This implementation mode includes repeated decomposition of events in terms of the decomposition rules defined in the component error model means 122 , and thus the fault trees of the input top events can be automatically generated.
  • the second implementation mode of the present invention is an extension of the first implementation mode, in which the aforementioned system model library means 120 further includes a MCS calculation means 123 that stores a set of calculation rules used for the calculation of MCS of the fault trees.
  • the fault tree analysis (FTA) means 130 of the second implementation mode is also used for the calculation of MCS in addition to the decomposition of events as mentioned in the first implementation mode.
  • the steps B 1 to B 3 are the same as the steps A 1 to A 3 of the first implementation mode, respectively.
  • the sub events are then transformed into a Disjunctive Normal Form (DNF) in which the redundant conjunctions of events are also removed with the calculation rules defined in the MCS calculation means 123 (Step B 4 ).
  • DNF Disjunctive Normal Form
  • Step B 4 For any event of the DNF, redo Step B 3 and B 4 until it becomes a basic event (i.e., indecomposable).
  • the final DNF is output as the MCS of the fault tree.
  • This implementation mode includes repeated decomposition of events and calculation of MCS, which can remove redundant nodes of the fault tree in a timely fashion, and thus the MCS of the fault tree could be calculated in an efficient way.
  • the calculation of MCS is carried out after each decomposition of event, the complete original fault tree without any calculation of MCS cannot be outputted in this implementation mode.
  • the third implementation mode of the present invention includes the means of the second implementation mode; however, the difference with the second implementation mode is that the third implementation mode consists of a different processing flow in terms of the event decomposition and MCS calculation steps mentioned below.
  • This implementation mode also includes decomposition of events (Step C 3 ) and calculation of MCS (Step C 4 ), but the reduction is carried out only once after all the events become basic events (indecomposable) through repeated decomposition. Therefore, the complete original fault tree without any reduction and the minimal cut sets of the fault tree could both be output (Step C 5 ).
  • the third implementation mode may spend more time for the calculation of MCS since no timely reduction has been carried out after each decomposition.
  • the benefit of the third implementation mode is that the complete decomposition information is kept, and thus the original fault tree without any reduction can be output.
  • the first effect is that, given a configuration of a system, and a top undesired event of the system, the fault tree of the top event as well as the minimal cut sets of the fault tree can be automatically generated.
  • the reason is that the input system configuration follows the definitions of system architecture models, and thus the fault tree and MCS can be developed and calculated in terms of the fault tree decomposition and MCS calculation rules defined in the system model library means, respectively.
  • the second effect is that the functional and sequential dependencies between components can be modeled with standard static logic gates rather than traditional dynamic gates.
  • the reason is that by classifying internal and external fault events of a component, the functional dependency between different components can be represented with standard OR-gate; and by introducing extra dependent conditional event, the sequential dependency between component fault events can be handled with standard AND-gate.
  • FIG. 6 One high dependable network configuration is shown in FIG. 6 .
  • a configuration of the system will be explained.
  • the system consists of two servers, s 1 and s 2 , and s 1 is the primary (active) one, while s 2 is a spare to be activated when s 1 fails.
  • Each server has two network cards, and respective network cards are cards of c 11 (primary) and c 12 (spare) of the primary s 1 , and cards of c 21 (primary) and c 22 (spare) of the stand-by s 2 .
  • hubs h 1 and h 2 There are two hubs h 1 and h 2 , and two hubs are connected with the network cards c 11 , c 12 , c 21 and c 22 with wired cables b 11 (between c 11 and h 1 ), b 12 (between c 12 and h 2 ), b 21 (between c 21 and h 1 ), and b 22 (between c 22 and h 2 ).
  • FIG. 7 An example system architecture model denoted in a UML form is presented in FIG. 7 .
  • This system architecture models are supposed to be saved in the system architecture model means 121 , and they can be represented in different forms for one implementation mode.
  • the UML graphical form of FIG. 7 is just one of the candidates for readability. Some annotations of FIG. 7 are as follows.
  • a component could be a composite component, hardware, or software.
  • a hardware component could be a bus, memory, processor, or device, and it could be served as a necessary or spare component.
  • a primary component is a necessary component which has at least one spare component.
  • a composite hardware is both a composite component and a hardware component.
  • a composite hardware consists of one or several (sub) hardware components, and generally speaking, its functionality depends on that all of its necessary sub components work well, i.e., not down (the definition of the fault event down will be discussed later in FIG. 9 ). Therefore, as shown in FIG. 7 , the relation “depAll” actually represents a kind of vertical functional dependency between composite and sub hardware components, and it is a sub relation of the physical composition relation “consists”.
  • a hardware component may connect to zero or several buses, and generally speaking, it requires any of the (connected) buses to be accessible, not disabled. Therefore, as shown in FIG. 7 , the relation “reqAny” actually represents a kind of horizontal functional dependency between hardware and buses, and it is a sub relation of the physical connection relation “connects”.
  • a primary may have one or several spares, and a spare may support one or several primaries at the same time. Note that however, a spare can only replaces at most one primary (i.e., the first failed primary) at any time.
  • the relation of replaces can be used to represent sequential fault events of two primaries which are supported by the same one spare. For instance, assume that there are two primary components, P 1 and P 2 which share the same one spare S, and a top event is defined as that P 2 fails before the failure of P 1 (which means that when P 1 fails, the system consisting of P 1 and S will fail since the spare S cannot be activated for P 1 ).
  • the conditional event replaces S, P 2
  • the above sequential dependency between the faults of P 1 and P 2 can be denoted by a standard static AND gate rather than a traditional PAND gate as shown in FIG. 13 .
  • FIG. 8 presents an example formal architecture model of network servers written with Maude, a formal specification and programming language. Some annotations of FIG. 8 are as follows (the line numbers are added for readability).
  • FIG. 9 An example component error model written with Maude is presented in FIG. 9 , which is supposed to be stored in the aforementioned component error model means 122 .
  • the equations defined in FIG. 9 play the role as decomposition rules for the fault tree development.
  • “failed” described in line 2 is the (primary) internal failure of a component, such as broken.
  • “disabled” described in line 3 is the (secondary) external fault of a component which is typically caused by the faults of other functional depended components, for instance, a memory may be disabled by a bus since the memory requires the bus for accessible.
  • equations defining the semantics of functionless i.e., equations defining that a composite component is functionless if and only if any of its depended sub necessary components is down (provided an assumption is made that any composite component must connect to other adjacent component through some of its subcomponents), and a non-composite component is functionless if and only if itself is failed or it is disabled are described.
  • These two axioms represent the vertical and horizontal functional dependencies, respectively.
  • the logic representation of the example configuration consists of two main parts.
  • One is the constant definitions of components, i.e., names and types of component instances which are denoted in lines 4 to 11 .
  • the constant definition of line 4 states that “sys” is an instance of composite component i.e., the example network system.
  • the second is the relations between these components, which are denoted by the equations in lines 12 to 26 .
  • the equation of line 12 states that the example network system, “sys”, depends on the primary server s 1 .
  • the first decomposition of the top event gets one sub event of “functionless(sys)” by applying the decomposition rule shown in line 13 of FIG. 9 , since the instance “sys” is not a primary component, i.e. the example network system does not have any spare (corresponding to Step A 3 of FIG. 2 ).
  • the sub event could be further decomposed by applying the decomposition rule shown in line 9 of FIG. 9 , and get a sub event “anyDown(s 1 )” based on the configuration equations shown in lines 4 and 11 of FIG. 11 , i.e. “sys” is a composite hardware component and it depends on the server s 1 (corresponding to the repeated execution of Step A 3 of FIG. 2 ).
  • Step B 4 of FIG. 4 or Step C 4 of FIG. 5 the final MCS of the fault tree with the top event is presented in FIG. 12 (corresponding to Steps B 5 and C 5 of FIGS. 4 and 5 , respectively).
  • each unit was configured with hardware in the above-described implementation modes and example, it may be configured with a program and a CPU that perform an operation similar to that of each unit.
  • a system for static fault tree analysis from system models comprising:
  • a system configuration input means that inputs system configurations and top events of the systems to be analyzed
  • a system model library means that stores a set of system architecture models and component error models
  • a fault tree analysis means that analyzes fault trees of the system from said top events in terms of decomposition rules defined in said component error models:
  • system configurations and top events are instances of the system architecture models and the fault events of the component error models stored in said system model library means, respectively;
  • system architecture models delimit classification of and definitions of physical and semantic relations between different components
  • component error models define different fault events of components and their Boolean logic relationships called decomposition rules which cover both functional and sequential dependencies for fault tree analysis.
  • decomposition rules which cover both functional and sequential dependencies for fault tree analysis
  • decomposition rules which cover both functional and sequential dependencies for fault tree analysis
  • the present invention can be used to analyze system reliability with fault trees from system configurations automatically, with the implementation of the aforementioned system model library means defining system architecture models, component error models, and MCS calculation rules, and the aforementioned fault tree analysis (FTA) means for generating fault trees and calculating MCS in terms of the decomposition and reduction rules defined in the aforementioned system model library means, respectively.
  • FFA fault tree analysis
  • FTA fault tree analysis

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Biomedical Technology (AREA)
  • Quality & Reliability (AREA)
  • General Engineering & Computer Science (AREA)
  • Automation & Control Theory (AREA)
  • Test And Diagnosis Of Digital Computers (AREA)

Abstract

The present invention is a system for static fault tree analysis from system models comprising: system configuration input unit that inputs system configurations and top events of the systems to be analyzed; system model library that stores a set of system architecture models and component error models; and fault tree analyzer that analyzes fault trees of the system from the top events in terms of decomposition rules defined in the component error models. The system configurations and top events are instances of the system architecture models and the fault events of the component error models stored in the system model library, respectively. The system architecture models delimit classification of and definitions of physical and semantic relations between different components. The component error models define different fault events of components and their Boolean logic relationships called decomposition rules which cover both functional and sequential dependencies for fault tree analysis.

Description

    TECHNICAL FIELD
  • The present invention is concerned with methods and systems for automatic system reliability analysis from system configurations, especially with the methods and systems for qualitative reliability analysis of computer systems with static fault tree analysis (FTA) and system models.
    • BACKGROUND ART
  • An example of the related fault tree analysis (FTA) is presented in non-patent literature 1. Such a traditional FTA typically uses dynamic logic gates, such as FDEP (Functional Dependency) and PAND (Priority AND), to model functional and sequential dependencies between different events.
  • However, such dynamic fault trees typically require extra cost for system administration and maintenance, since sequential rather than combinational information (i.e., history rather than combinations of occurrences of events) are needed to analyze the fault tree states at runtime, which could be a key problem in analysis of large and complex systems. In addition, the dynamic fault trees are typically drawn by hand, and thus, no systematic and automatic method or model has been proposed to help engineers develop fault trees in an efficient and correct way.
  • Some other examples of semi-automatic system fault tree analysis with FTA in regard to specific domains and systems have been presented in patent literatures 1, 2, and 3. For instance, as shown in FIGS. 14 and 15, such a previous system presented in the patent literature 3 uses the layout (three dimension CAD data) of the nuclear power plant as the input, and uses a FT figure DB means to save registered fault trees of some specific devices. Given a particular top event of device, if its fault tree already exists in the aforementioned FT figure DB means, then a fault tree could be generated for the top event; otherwise manual revision is needed. A common problem of these previous systems and methods (e.g., the patent literatures 1, 2, and 3) is that, there is no formal parameterized system architecture and component error (fault) models for the fully automatic development of fault trees, and thus they are typically limited to specific domains and systems.
  • In addition, these inventions, in which sequential dependency between different events are generally omitted, only focus on traditional simple static logic relations such as AND and OR.
    • CITATION LIST Patent Literature
  • PTL 1: JAPANESE Patent No. 2853215
  • PTL 2: JP-P1995-200534A
  • PTL 3: JP-P2003-149377A
    • Non-Patent Literature
  • NON-PTL 1: J. B. Dugan, S. J. Bavuso, and M. A. Boyd, Dynamic Fault-Tree Models for Fault Tolerant Computer Systems, IEEE Trans. on Reliability, Vol. 41, No. 3, 1992, pp. 363-377.
    • SUMMARY OF INVENTION Technical Problem
  • The first problem is that in the above-described technologies, manual development of fault trees is difficult and error-prone, especially in the case of large and complex system analysis.
  • The reason is that most of FTA tools that are currently used do not consider how to develop some formal system architecture and component error models for the automatic development of fault trees, especially in the case of fault tolerant computer systems. Rather, they mainly focus on how to calculate the minimal cut sets (MCS: smallest combinations of basic events which will result in the top events) and failures rates of given fault trees which are assumed to be developed by the engineers by hand in the first place.
  • The second problem is that functional and sequential dependencies between events of components are usually modeled with some dynamic gates, which may introduce potential semantic troubles and require extra cost for the system administration and maintenance at runtime.
  • The reason is that the formal semantics of some dynamic gates have not been well defined, and the analysis of dynamic fault tree states requires history (sequential) information, which may cause trouble and increase cost in the analysis of large scale systems.
  • Thereupon, the present invention has been accomplished in consideration of the above-mentioned problems, and an objective of the present invention is to provide a system and a method for automatically developing and analyzing fault trees from system models.
  • Another objective of the present invention is to present a model to define functional and sequential dependencies between events with standard static logic gates.
    • Means for Solving Problem
  • The present invention for solving the above-mentioned problems is a system for static fault tree analysis from system models which includes a system configuration input means that inputs system configurations and top events of the system to be analyzed, a system model library means that stores a set of system architecture models and component error models, and a fault tree analysis means that analyzes fault trees of the system from the aforementioned top event in terms of decomposition rules defined in the aforementioned component error models, wherein the aforementioned system configurations and the aforementioned top events are instances of the system architecture models and the fault events of the component error models stored in the aforementioned system model library means, respectively, the aforementioned system architecture models delimit classification of and definitions of physical and semantic relations between different components, and the aforementioned component error models define different fault events of components and their Boolean logic relationships called decomposition rules which cover both functional and sequential dependencies for fault tree analysis.
  • The present invention for solving the above-mentioned problems is a method for static fault tree analysis from system models which includes a step of storing, in a system to be analyzed, a set of system architecture models that delimit classification of and definitions of physical and semantic relations between different components, and component error models that define different fault events of components and their Boolean logic relationships called decomposition rules which cover both functional and sequential dependencies for fault tree analysis, a step of selecting top events of the system to be analyzed, and a step of analyzing fault trees from the aforementioned top events in terms of decomposition rules defined in the aforementioned component error models.
  • The present invention for solving the above-mentioned problems is a program for causing a computer to analyze static fault trees from system models, which causes the computer to execute a process of storing, in a system to be analyzed, a set of system architecture models that delimit classification of and definitions of physical and semantic relations between different components, and component error models that define different fault events of components and their Boolean logic relationships called decomposition rules which cover both functional and sequential dependencies for fault tree analysis, and a process of analyzing fault trees from the selected top events in terms of decomposition rules defined in the aforementioned component error models.
    • Advantageous Effect of Invention
  • The present invention makes it possible to automatically develop the fault trees of the system from the instances of the system architecture models and the top events with regard to the component error models.
    • BRIEF DESCRIPTION OF DRAWINGS
  • FIG. 1 is a block diagram illustrating a configuration of the first implementation mode of the present invention.
  • FIG. 2 is a flowchart illustrating an operation of the first implementation mode.
  • FIG. 3 is a block diagram illustrating configurations of the second implementation mode and the third implementation mode of the present invention.
  • FIG. 4 is a flowchart illustrating an operation of the second implementation mode.
  • FIG. 5 is a flowchart illustrating an operation of the third implementation mode.
  • FIG. 6 is a view illustrating a specific example of an operation of the first implementation mode.
  • FIG. 7 is a view illustrating an example of the system architecture model (UML view).
  • FIG. 8 is a view illustrating an example of a network server architecture model (Maude specification).
  • FIG. 9 is a view illustrating an example of the component error model (Maude specification).
  • FIG. 10 is a view illustrating an example of a MCS calculation rule (Maude specification).
  • FIG. 11 is a view illustrating an example of the system configuration input (Maude specification).
  • FIG. 12 is a view illustrating MCS outputs with regard to the input of FIG. 11.
  • FIG. 13 is a view illustrating an example of a conversion from a PAND gate to an AND gate.
  • FIG. 14 is an explanatory view of a processing procedure that is performed by a reliability analysis support device of the patent literature 3.
  • FIG. 15 is a detailed explanatory view of an FT view preparation step of the patent literature 3.
    •  DESCRIPTION OF EMBODIMENTS
  • An outline of the present invention will be explained.
  • The static fault tree analysis (FTA) system from the system models of the present invention includes a system configuration input means, a system model library means, and a fault tree analysis (FTA) means.
  • The system configuration input means is used to input the (physical and semantic) configuration of the system to be analyzed. The input configuration follows the definitions of system architecture models defined in the system model library means below.
  • The system model library means is used to save a set of system architecture models and component error models, and a set of minimal cut set calculation rules of the fault trees.
  • The system architecture models include classification of and relations between components, in which the relations include potential physical connections and compositions, and semantic requirements such as functional dependencies between the components.
  • The component error models include definitions of different fault and conditional events of components, in which both functional dependency between components and sequential dependency between fault events are covered. The axioms of the component error models play the role as decomposition rules for fault tree construction (analysis).
  • In addition, the minimal cut set (MCS) calculation rules are used to calculate the minimal cut sets of the analyzed fault trees.
  • The fault tree analysis (FTA) means is used to generate and analyze the fault trees of the inputted system configurations in terms of the aforementioned fault tree decomposition and MCS calculation rules defined in the system model library means.
  • Hereinafter, the implementation modes of the present invention will be further explained in details.
  • The first implementation mode of the present invention will be explained in details by referring to the accompanied drawings.
  • Referring to FIG. 1, the first implementation mode of the present invention includes a system configuration input means 110, a system model library means 120, and a fault tree analysis (FTA) means 130.
  • The system model library means 120 further includes a system architecture model means 121 and a component error model means 122.
  • Operations of these means are summarized as follows, respectively.
  • The system configuration input means 110 inputs the system configuration and the top event of the system to be analyzed. The system configuration must follow the definitions of the system architecture models defined in the system architecture model means 121 to be later described.
  • The system model library means 120 stores a set of system models for fault tree analysis (FTA). The system models can be further classified into two groups, namely system architecture models and component error models.
  • The system architecture model means 121 stores a set of system architecture models specifying the classification and properties of components. In this means, the properties are denoted by functions representing compositions of components, and potential physical connections and semantic (functional) relations between components.
  • The component error model means 122 stores a set of component error model specifying different component fault and conditional events and their logic relations. The axioms defined in the component error models play the role as fault tree decomposition rules.
  • The fault tree analysis (FTA) means 130 decomposes events from the aforementioned top events in terms of the aforementioned input system configurations and fault tree decomposition rules. That is, the fault tree analysis (FTA) means 130 analyzes the fault trees.
  • Next, an entire operation of this implementation mode will be explained in details by referring to flowcharts of FIG. 1 and FIG. 2.
  • Firstly, the system configuration is input by the aforementioned system configuration input means 110 (Step A1).
  • The user inputs (selects) a top fault event of the system to be analyzed (Step A2).
  • The top event is decomposed into some sub events by the fault tree analysis (FTA) means 130 in terms of some decomposition rule defined in the component error model means 122 (Step A3).
  • Redo the decomposition (Step A3) for the sub events until there is no decomposition rule available for the decomposed sub events, i.e., they become basic events which are not further decomposable.
  • Finally the generated fault tree (comprising the basic events) is output.
  • Next, an effect of this implementation mode will be explained.
  • This implementation mode includes repeated decomposition of events in terms of the decomposition rules defined in the component error model means 122, and thus the fault trees of the input top events can be automatically generated.
  • Next, the second implementation mode of the present invention will be explained in details by referring to the accompanied drawings.
  • Referring to FIG. 3, the second implementation mode of the present invention is an extension of the first implementation mode, in which the aforementioned system model library means 120 further includes a MCS calculation means 123 that stores a set of calculation rules used for the calculation of MCS of the fault trees. Correspondingly, the fault tree analysis (FTA) means 130 of the second implementation mode is also used for the calculation of MCS in addition to the decomposition of events as mentioned in the first implementation mode.
  • Next, an entire operation of this implementation mode will be explained in details by referring to flowcharts of FIG. 3 and FIG. 4.
  • The steps B1 to B3 are the same as the steps A1 to A3 of the first implementation mode, respectively. After decomposition of the top event, the sub events are then transformed into a Disjunctive Normal Form (DNF) in which the redundant conjunctions of events are also removed with the calculation rules defined in the MCS calculation means 123 (Step B4). For any event of the DNF, redo Step B3 and B4 until it becomes a basic event (i.e., indecomposable). Finally, when all the events become basic events, the final DNF is output as the MCS of the fault tree.
  • Next, an effect of the second implementation mode will be explained.
  • This implementation mode includes repeated decomposition of events and calculation of MCS, which can remove redundant nodes of the fault tree in a timely fashion, and thus the MCS of the fault tree could be calculated in an efficient way. However, since the calculation of MCS is carried out after each decomposition of event, the complete original fault tree without any calculation of MCS cannot be outputted in this implementation mode.
  • Next, the third implementation mode of the present invention will be explained in details by referring to the accompanied drawings.
  • Referring to FIG. 3, the third implementation mode of the present invention includes the means of the second implementation mode; however, the difference with the second implementation mode is that the third implementation mode consists of a different processing flow in terms of the event decomposition and MCS calculation steps mentioned below.
  • Next, an entire operation of this implementation mode will be explained in details by referring to flowcharts of FIG. 3 and FIG. 5.
  • This implementation mode also includes decomposition of events (Step C3) and calculation of MCS (Step C4), but the reduction is carried out only once after all the events become basic events (indecomposable) through repeated decomposition. Therefore, the complete original fault tree without any reduction and the minimal cut sets of the fault tree could both be output (Step C5).
  • Compared with the second implementation mode, the third implementation mode may spend more time for the calculation of MCS since no timely reduction has been carried out after each decomposition. However, the benefit of the third implementation mode is that the complete decomposition information is kept, and thus the original fault tree without any reduction can be output.
  • The implementation mode of the present invention described above has the following effect.
  • The first effect is that, given a configuration of a system, and a top undesired event of the system, the fault tree of the top event as well as the minimal cut sets of the fault tree can be automatically generated. The reason is that the input system configuration follows the definitions of system architecture models, and thus the fault tree and MCS can be developed and calculated in terms of the fault tree decomposition and MCS calculation rules defined in the system model library means, respectively.
  • The second effect is that the functional and sequential dependencies between components can be modeled with standard static logic gates rather than traditional dynamic gates. The reason is that by classifying internal and external fault events of a component, the functional dependency between different components can be represented with standard OR-gate; and by introducing extra dependent conditional event, the sequential dependency between component fault events can be handled with standard AND-gate.
    • EXAMPLE 1
  • Next, an operation of the present invention will be explained by using specific examples.
  • One high dependable network configuration is shown in FIG. 6. Hereinafter, a configuration of the system will be explained.
  • The system consists of two servers, s1 and s2, and s1 is the primary (active) one, while s2 is a spare to be activated when s1 fails.
  • Each server has two network cards, and respective network cards are cards of c11 (primary) and c12 (spare) of the primary s1, and cards of c21 (primary) and c22 (spare) of the stand-by s2.
  • There are two hubs h1 and h2, and two hubs are connected with the network cards c11, c12, c21 and c22 with wired cables b11 (between c11 and h1), b12 (between c12 and h2), b21 (between c21 and h1), and b22 (between c22 and h2).
  • An example system architecture model denoted in a UML form is presented in FIG. 7.
  • This system architecture models are supposed to be saved in the system architecture model means 121, and they can be represented in different forms for one implementation mode. The UML graphical form of FIG. 7 is just one of the candidates for readability. Some annotations of FIG. 7 are as follows.
  • A component could be a composite component, hardware, or software. A hardware component could be a bus, memory, processor, or device, and it could be served as a necessary or spare component. A primary component is a necessary component which has at least one spare component. A composite hardware (composite HW) is both a composite component and a hardware component.
  • A composite hardware consists of one or several (sub) hardware components, and generally speaking, its functionality depends on that all of its necessary sub components work well, i.e., not down (the definition of the fault event down will be discussed later in FIG. 9). Therefore, as shown in FIG. 7, the relation “depAll” actually represents a kind of vertical functional dependency between composite and sub hardware components, and it is a sub relation of the physical composition relation “consists”.
  • A hardware component may connect to zero or several buses, and generally speaking, it requires any of the (connected) buses to be accessible, not disabled. Therefore, as shown in FIG. 7, the relation “reqAny” actually represents a kind of horizontal functional dependency between hardware and buses, and it is a sub relation of the physical connection relation “connects”.
  • A primary (hardware) may have one or several spares, and a spare may support one or several primaries at the same time. Note that however, a spare can only replaces at most one primary (i.e., the first failed primary) at any time. The relation of replaces can be used to represent sequential fault events of two primaries which are supported by the same one spare. For instance, assume that there are two primary components, P1 and P2 which share the same one spare S, and a top event is defined as that P2 fails before the failure of P1 (which means that when P1 fails, the system consisting of P1 and S will fail since the spare S cannot be activated for P1). By introducing the conditional event replaces (S, P2), the above sequential dependency between the faults of P1 and P2 can be denoted by a standard static AND gate rather than a traditional PAND gate as shown in FIG. 13.
  • Moreover, FIG. 8 presents an example formal architecture model of network servers written with Maude, a formal specification and programming language. Some annotations of FIG. 8 are as follows (the line numbers are added for readability).
  • The matters described in lines 4 to 9 are data type (sort) and sub type definitions. For instance, a server is a composite hardware component. Additionally, the sub type relation is denoted by the symbol “<”.
  • The matter described in line 10 is the definition of a predicate, “existNWCard”, denoting that whether there exists a network card in a set of hardware components or not.
  • The matter described in line 11 is an equation (axiom) stating the property of that any network server must consist of some network cards. Note that “consists” is a function defined from a composite hardware component to a set of its sub hardware components as discussed in FIG. 7.
  • An example component error model written with Maude is presented in FIG. 9, which is supposed to be stored in the aforementioned component error model means 122. The equations defined in FIG. 9 play the role as decomposition rules for the fault tree development. Some annotations of FIG. 9 are as follows.
  • The matters described in lines 2 to 5 define four kinds of component fault events.
  • “failed” described in line 2 is the (primary) internal failure of a component, such as broken.
  • “disabled” described in line 3 is the (secondary) external fault of a component which is typically caused by the faults of other functional depended components, for instance, a memory may be disabled by a bus since the memory requires the bus for accessible.
  • “functionless” described in line 4 represents the union of the internal and external faults of a component.
  • “down” described in line 5 is typically used to denote that a primary component is functionless and none of its spares has been activated.
  • In lines 6 to 8, variable declarations for subsequent equations are described.
  • In lines 9 to 10, equations defining the semantics of functionless, i.e., equations defining that a composite component is functionless if and only if any of its depended sub necessary components is down (provided an assumption is made that any composite component must connect to other adjacent component through some of its subcomponents), and a non-composite component is functionless if and only if itself is failed or it is disabled are described. These two axioms represent the vertical and horizontal functional dependencies, respectively.
  • In line 11, an equation defining the semantics of disabled, i.e., an equation defining that a component is disabled if and only if all of its required buses become functionless is described. Additionally, since bus connections are transitive and could be iterative, the case splitting of bus and non-bus components as well as the second parameter of auxiliary function “$allFunctionless” are used to remove cyclic dependencies.
  • In lines 12 to 15, equations defining the semantics of down are described, that is, it is described to define that a primary component is down if and only if itself is functionless and none of its spares has been activated, and the down of a non-primary component is defined as equal to its functionless for convenience. The reason for a spare not activated for a primary component could be that the spare is functionless or it is activated by some other supported primary component before. Finally, the activation of spare for a primary component equals to that the primary is functionless and the spare replaces the primary (a conditional event).
  • As for the MCS calculation means 123, some example rules are presented in FIG. 10. Some annotations are as follows.
  • In lines 1 to 4, variable declarations for subsequent equations are described. Note that the sort FaultEvent is a subsort of Bool.
  • In line 5, an equation for transforming a Boolean formula into a DNF is described.
  • In line 6, an equation for removing unnecessary conditional event replaces in the final MCS is described. The meaning of this equation is that suppose there are two primary components share the same one spare, and if there are two conjunctions stating that both of the two primary component are functionless, and the spare replaces the first and second primary component in the two conjunctions, respectively, then these two conjunctions could be combined into one conjunction consisting of only the two primary components.
  • In lines 7 to 9, equations for removing redundant cut sets (conjunctions) to get the minimal cut sets of the fault tree are described.
  • Based on the graphical representation of the example network configuration as shown in FIG. 6 and the example system architecture models as shown in FIGS. 7 and 8, we assume that an input of the logic representation of the example network configuration is denoted in a form such as shown in FIG. 11 (corresponding to Step A1 of FIG. 2). Some annotations are as follows.
  • For clarity, we omitted the formal specification for the physical connections between components, and only functional relations between components are presented. The functional relations could be derived from the physical connections for simplification, provided that certain rules have been added into the aforementioned system architecture model means 121. For instance, if an assumption is made that a composite component will depend on all of its sub necessary components, provided that engineers will not introduce useless necessary sub components into the composite component by mistakes or other reasons, then the functional relation “depAll” could be derived from the physical connection “consists” of the composite component in a straightforward way by removing the spare components in the “consists”.
  • The logic representation of the example configuration consists of two main parts. One is the constant definitions of components, i.e., names and types of component instances which are denoted in lines 4 to 11. For instance, the constant definition of line 4 states that “sys” is an instance of composite component i.e., the example network system. The second is the relations between these components, which are denoted by the equations in lines 12 to 26. For instance, the equation of line 12 states that the example network system, “sys”, depends on the primary server s1.
  • Based on the input system configuration shown in FIG. 11, assume that the user select that top event to be analyzed as that the system, “sys”, is down, namely “down(sys)” (corresponding to Step A2 of FIG. 2).
  • The first decomposition of the top event gets one sub event of “functionless(sys)” by applying the decomposition rule shown in line 13 of FIG. 9, since the instance “sys” is not a primary component, i.e. the example network system does not have any spare (corresponding to Step A3 of FIG. 2). The sub event could be further decomposed by applying the decomposition rule shown in line 9 of FIG. 9, and get a sub event “anyDown(s1)” based on the configuration equations shown in lines 4 and 11 of FIG. 11, i.e. “sys” is a composite hardware component and it depends on the server s1 (corresponding to the repeated execution of Step A3 of FIG. 2). Redo the decomposition step repeatedly and assume that the calculation of MCS is also carried out in a way such as shown in Step B4 of FIG. 4 or Step C4 of FIG. 5, the final MCS of the fault tree with the top event is presented in FIG. 12 (corresponding to Steps B5 and C5 of FIGS. 4 and 5, respectively).
  • Additionally, while each unit was configured with hardware in the above-described implementation modes and example, it may be configured with a program and a CPU that perform an operation similar to that of each unit.
  • Above, although the present invention has been particularly described with reference to the preferred implementation modes and the examples, it should be readily apparent to those of ordinary skill in the art that the present invention is not always limited to the above-mentioned embodiment and examples, and changes and modifications in the form and details may be made without departing from the spirit and scope of the invention.
  • Further, the content of the above-mentioned exemplary embodiments can be expressed as follows.
  • (Supplementary note 1) A system for static fault tree analysis from system models comprising:
  • a system configuration input means that inputs system configurations and top events of the systems to be analyzed;
  • a system model library means that stores a set of system architecture models and component error models; and
  • a fault tree analysis means that analyzes fault trees of the system from said top events in terms of decomposition rules defined in said component error models:
  • wherein said system configurations and top events are instances of the system architecture models and the fault events of the component error models stored in said system model library means, respectively;
  • wherein said system architecture models delimit classification of and definitions of physical and semantic relations between different components; and
  • wherein said component error models define different fault events of components and their Boolean logic relationships called decomposition rules which cover both functional and sequential dependencies for fault tree analysis.
  • (Supplementary note 2) The fault tree analysis system according to Supplementary note 1, wherein said system model library means further comprising a MCS calculation means that stores MCS calculation rules for calculating minimal cut sets of the fault trees, removes redundant cut sets of the events based on said MCS calculation rules, and calculates the minimal cut sets.
  • (Supplementary note 3) A method for static fault tree analysis from system models comprising:
  • storing, in a system to be analyzed, a set of system architecture models that delimit classification of and definitions of physical and semantic relations between different components, and component error models that define different fault events of components and their Boolean logic relationships called decomposition rules which cover both functional and sequential dependencies for fault tree analysis;
  • selecting top events of the system to be analyzed; and
  • analyzing fault trees of the system from said top events in terms of decomposition rules defined in said component error models.
  • (Supplementary note 4) The fault tree analysis method according to Supplementary note 3 comprising storing MCS calculation rules for calculating minimal cut sets of the fault trees, removing redundant cut sets of the events based on said MCS calculation rules, and calculating the minimal cut sets.
  • (Supplementary note 5) A program for causing a computer to analyze static fault trees from system models, said program causing the computer to execute:
  • a process of storing, in a system to be analyzed, a set of system architecture models that delimit classification of and definitions of physical and semantic relations between different components, and component error models that define different fault events of components and their Boolean logic relationships called decomposition rules which cover both functional and sequential dependencies for fault tree analysis; and
  • a process of analyzing fault trees of the system from the selected top events in terms of decomposition rules defined in said component error models.
  • (Supplementary note 6) The program according to Supplementary note 5, said program causing the computer to execute a process of removing redundant cut sets of the events based on MCS calculation rules for calculating minimal cut sets of the fault trees, and calculating the minimal cut sets.
  • This application is based upon and claims the benefit of priority from Japanese patent application No. 2010-117945, filed on May 24, 2010, the disclosure of which is incorporated herein in its entirety by reference.
    • INDUSTRIAL APPLICABILITY
  • The present invention can be used to analyze system reliability with fault trees from system configurations automatically, with the implementation of the aforementioned system model library means defining system architecture models, component error models, and MCS calculation rules, and the aforementioned fault tree analysis (FTA) means for generating fault trees and calculating MCS in terms of the decomposition and reduction rules defined in the aforementioned system model library means, respectively.
    • REFERENCE SIGNS LIST
  • 110 system configuration input means
  • 120 system model library means
  • 130 fault tree analysis (FTA) means
  • 121 system architecture model means
  • 122 component error model means
  • 123 MCS calculation means

Claims (6)

1. A system for static fault tree analysis from system models comprising:
a system configuration input unit that inputs system configurations and top events of the systems to be analyzed;
a system model library that stores a set of system architecture models and component error models; and
a fault tree analyzer that analyzes fault trees of the system from said top events in terms of decomposition rules defined in said component error models:
wherein said system configurations and top events are instances of the system architecture models and the fault events of the component error models stored in said system model library, respectively;
wherein said system architecture models delimit classification of and definitions of physical and semantic relations between different components; and
wherein said component error models define different fault events of components and their Boolean logic relationships called decomposition rules which cover both functional and sequential dependencies for fault tree analysis.
2. The fault tree analysis system according to claim 1, wherein said system model library further comprising a MCS calculator that stores MCS calculation rules for calculating minimal cut sets of the fault trees, removes redundant cut sets of the events based on said MCS calculation rules, and calculates the minimal cut sets.
3. A method for static fault tree analysis from system models comprising:
storing, in a system to be analyzed, a set of system architecture models that delimit classification of and definitions of physical and semantic relations between different components, and component error models that define different fault events of components and their Boolean logic relationships called decomposition rules which cover both functional and sequential dependencies for fault tree analysis;
selecting top events of the system to be analyzed; and
analyzing fault trees of the system from said top events in terms of decomposition rules defined in said component error models.
4. The fault tree analysis method according to claim 3 comprising storing MCS calculation rules for calculating minimal cut sets of the fault trees, removing redundant cut sets of the events based on said MCS calculation rules, and calculating the minimal cut sets.
5. A non-transitory computer readable storage medium storing a program for causing a computer to analyze static fault trees from system models, said program causing the computer to execute:
a process of storing, in a system to be analyzed, a set of system architecture models that delimit classification of and definitions of physical and semantic relations between different components, and component error models that define different fault events of components and their Boolean logic relationships called decomposition rules which cover both functional and sequential dependencies for fault tree analysis; and
a process of analyzing fault trees of the system from the selected top events in terms of decomposition rules defined in said component error models.
6. The non-transitory computer readable storage medium storing a program according to claim 5, said program causing the computer to execute a process of removing redundant cut sets of the events based on MCS calculation rules for calculating minimal cut sets of the fault trees, and calculating the minimal cut sets.
US13/699,359 2010-05-24 2011-05-23 Static fault tree analysis system and method from system models Abandoned US20130073271A1 (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
JP2010-117945 2010-05-24
JP2010117945 2010-05-24
PCT/JP2011/061738 WO2011148891A1 (en) 2010-05-24 2011-05-23 Method and system for analyzing static fault tree from system model

Publications (1)

Publication Number Publication Date
US20130073271A1 true US20130073271A1 (en) 2013-03-21

Family

ID=45003881

Family Applications (1)

Application Number Title Priority Date Filing Date
US13/699,359 Abandoned US20130073271A1 (en) 2010-05-24 2011-05-23 Static fault tree analysis system and method from system models

Country Status (3)

Country Link
US (1) US20130073271A1 (en)
JP (1) JPWO2011148891A1 (en)
WO (1) WO2011148891A1 (en)

Cited By (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014184823A1 (en) * 2013-05-15 2014-11-20 Nec Corporation System, method, and program for identifying persistent components and persistent systems
US20140359366A1 (en) * 2013-05-28 2014-12-04 Jean-Pascal Schwinn Method and Engineering Apparatus for Performing a Three-Dimensional Analysis of a Technical System
CN105138428A (en) * 2015-08-22 2015-12-09 西安电子科技大学 Failure recovery method based on precursor dependence
US20160170868A1 (en) * 2014-12-16 2016-06-16 Siemens Aktiengesellschaft Method and apparatus for the automated testing of a subsystem of a safety critical system
US20160266952A1 (en) * 2015-03-10 2016-09-15 Kai Höfig Automated Qualification of a Safety Critical System
CN107037802A (en) * 2016-10-28 2017-08-11 华中科技大学 A kind of method for detecting abnormality of Process Control System protecting information safety
TWI597682B (en) * 2016-04-08 2017-09-01 Mitsubishi Electric Corp Information processing device, information processing method and information processing program product
EP3260940A1 (en) * 2016-06-21 2017-12-27 Siemens Aktiengesellschaft Method and apparatus for automated hazard detection
US20180074484A1 (en) * 2015-04-28 2018-03-15 Siemens Aktiengesellschaft Method and apparatus for generating a fault tree for a failure mode of a complex system
US10061670B2 (en) * 2015-12-28 2018-08-28 Siemens Aktiengesellschaft Method and apparatus for automatically generating a component fault tree of a safety-critical system
US10558766B2 (en) * 2015-12-31 2020-02-11 Palo Alto Research Center Incorporated Method for Modelica-based system fault analysis at the design stage
US10558513B2 (en) * 2015-01-30 2020-02-11 Hitachi Power Solutions Co., Ltd. System management apparatus and system management method
CN111124879A (en) * 2019-10-31 2020-05-08 中国航天系统科学与工程研究院 Fault tree-based to-be-verified attribute extraction method, medium and equipment
CN112580189A (en) * 2020-11-19 2021-03-30 中海石油(中国)有限公司天津分公司 Rapid algorithm for importance of tree-bottom event structure of system fault
US11086303B2 (en) * 2016-07-27 2021-08-10 Skyworks Solutions, Inc. Geometry-based scheduling of fabrication with high volume and high mixture
US11347919B2 (en) * 2018-12-18 2022-05-31 Siemens Industry Software Nv Computer-implemented method for generating a mixed-layer fault tree of a multi-component system combining different layers of abstraction
WO2024227347A1 (en) * 2023-05-04 2024-11-07 中国科学院深圳先进技术研究院 Safety analysis method and apparatus for automotive-grade chip, and device and storage medium

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP5601468B2 (en) * 2010-11-26 2014-10-08 日本電気株式会社 Method and system for efficiently evaluating the minimum cut set of fault trees
US8909991B2 (en) 2011-02-22 2014-12-09 Nec Corporation Fault tree system reliability analysis system, fault tree system reliability analysis method, and program therefor
JPWO2013085025A1 (en) * 2011-12-09 2015-04-27 日本電気株式会社 Minimum cut set evaluation system, minimum cut set calculation method and program
CN102707712B (en) * 2012-06-06 2014-06-18 广州山锋测控技术有限公司 Electronic equipment fault diagnosis method and system
WO2014043667A1 (en) * 2012-09-17 2014-03-20 Siemens Corporation Logic based approach for system behavior diagnosis
CN103729289B (en) * 2013-11-29 2016-04-06 北京广利核系统工程有限公司 A kind ofly utilize the graphic method indicating HPD logic reliability
CN106094783B (en) * 2016-05-30 2018-07-17 重庆大学 A kind of liquid hydrogen loading system fault diagnosis and Realtime Alerts method
EP3416013B1 (en) * 2017-06-12 2019-07-24 Siemens Aktiengesellschaft Safety assurance using fault trees for identifying dormant system failure states
CN109491812B (en) * 2018-10-11 2022-01-04 西北工业大学 System local reliability sensitivity analysis method based on interval model
CN112069649B (en) * 2020-07-21 2023-08-18 武汉交通职业学院 Electric automobile EPS system reliability assessment method based on MDA
CN114118790B (en) * 2021-11-25 2024-06-21 中电科航空电子有限公司 System and method for analyzing safety of civil communication navigation system based on SysML

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH0784995A (en) * 1993-09-17 1995-03-31 Hitachi Ltd Failure diagnosis support system
JP3445517B2 (en) * 1999-02-16 2003-09-08 株式会社東芝 System reliability design apparatus and method, and recording medium recording system reliability design software

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Bozzano, Marco, et al. "ESACS: an integrated methodology for design and safety analysis of complex systems." Proc. ESREL. 2003. *
Kaiser, Bernhard, Peter Liggesmeyer, and Oliver Mäckel. "A new component concept for fault trees." Proceedings of the 8th Australian workshop on Safety critical systems and software-Volume 33. Australian Computer Society, Inc., 2003. *

Cited By (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014184823A1 (en) * 2013-05-15 2014-11-20 Nec Corporation System, method, and program for identifying persistent components and persistent systems
US20140359366A1 (en) * 2013-05-28 2014-12-04 Jean-Pascal Schwinn Method and Engineering Apparatus for Performing a Three-Dimensional Analysis of a Technical System
US20160170868A1 (en) * 2014-12-16 2016-06-16 Siemens Aktiengesellschaft Method and apparatus for the automated testing of a subsystem of a safety critical system
US10558513B2 (en) * 2015-01-30 2020-02-11 Hitachi Power Solutions Co., Ltd. System management apparatus and system management method
US10241852B2 (en) * 2015-03-10 2019-03-26 Siemens Aktiengesellschaft Automated qualification of a safety critical system
US20160266952A1 (en) * 2015-03-10 2016-09-15 Kai Höfig Automated Qualification of a Safety Critical System
US10877471B2 (en) * 2015-04-28 2020-12-29 Siemens Aktiengesellschaft Method and apparatus for generating a fault tree for a failure mode of a complex system
US20180074484A1 (en) * 2015-04-28 2018-03-15 Siemens Aktiengesellschaft Method and apparatus for generating a fault tree for a failure mode of a complex system
CN105138428A (en) * 2015-08-22 2015-12-09 西安电子科技大学 Failure recovery method based on precursor dependence
US10061670B2 (en) * 2015-12-28 2018-08-28 Siemens Aktiengesellschaft Method and apparatus for automatically generating a component fault tree of a safety-critical system
US10558766B2 (en) * 2015-12-31 2020-02-11 Palo Alto Research Center Incorporated Method for Modelica-based system fault analysis at the design stage
TWI597682B (en) * 2016-04-08 2017-09-01 Mitsubishi Electric Corp Information processing device, information processing method and information processing program product
US11079749B2 (en) 2016-06-21 2021-08-03 Siemens Aktiengesellschaft Method and apparatus for automated hazard detection
EP3260940A1 (en) * 2016-06-21 2017-12-27 Siemens Aktiengesellschaft Method and apparatus for automated hazard detection
US11086303B2 (en) * 2016-07-27 2021-08-10 Skyworks Solutions, Inc. Geometry-based scheduling of fabrication with high volume and high mixture
CN107037802A (en) * 2016-10-28 2017-08-11 华中科技大学 A kind of method for detecting abnormality of Process Control System protecting information safety
US11347919B2 (en) * 2018-12-18 2022-05-31 Siemens Industry Software Nv Computer-implemented method for generating a mixed-layer fault tree of a multi-component system combining different layers of abstraction
CN111124879A (en) * 2019-10-31 2020-05-08 中国航天系统科学与工程研究院 Fault tree-based to-be-verified attribute extraction method, medium and equipment
CN112580189A (en) * 2020-11-19 2021-03-30 中海石油(中国)有限公司天津分公司 Rapid algorithm for importance of tree-bottom event structure of system fault
WO2024227347A1 (en) * 2023-05-04 2024-11-07 中国科学院深圳先进技术研究院 Safety analysis method and apparatus for automotive-grade chip, and device and storage medium

Also Published As

Publication number Publication date
JPWO2011148891A1 (en) 2013-07-25
WO2011148891A1 (en) 2011-12-01

Similar Documents

Publication Publication Date Title
US20130073271A1 (en) Static fault tree analysis system and method from system models
EP2876519B1 (en) Safety analysis of a complex system using component-oriented fault trees
Stewart et al. AADL-based safety analysis using formal methods applied to aircraft digital systems
Kabir et al. A model-based extension to HiP-HOPS for dynamic fault propagation studies
Xiang et al. Automatic synthesis of static fault trees from system models
Ruijters et al. FFORT: a benchmark suite for fault tree analysis
Bozzano et al. Formal Methods for Aerospace Systems: Achievements and Challenges
Hu et al. Event-based safety and reliability analysis integration in model-based space mission design
US11586976B2 (en) Method and apparatus for creating tests for execution in a storage environment
Rugina et al. An architecture-based dependability modeling framework using AADL
Stewart et al. Safety annex for the architecture analysis and design language
Yamamoto et al. Aspect analysis towards archimate diagrams
Tiwari et al. Analysis of use case requirements using sfta and sfmea techniques
Jetley et al. Applying software engineering practices for development of industrial automation applications
CN114816431B (en) A secure and reliable semantic extension and modeling method for SysML language
US9152385B2 (en) Systems and methods for generating high-quality formal executable software feature requirements
US9021418B2 (en) Systems and/or methods for creation of metamodels
Gokyer et al. Non-functional requirements to architectural concerns: ML and NLP at crossroads
Grunske et al. An automated dependability analysis method for COTS-based systems
Hoffmann SysML-based systems engineering using a model-driven development approach
Yamada Generic software for spacecraft testing and operations based on a spacecraft model
Souri Formal specification and verification of a data replication approach in distributed systems
Zhou et al. A framework for early robustness assessment.
Fernández Briones et al. Application of safety analyses in model driven development
Penttinen et al. Advanced fault tree analysis for improved quality and risk assessment

Legal Events

Date Code Title Description
AS Assignment

Owner name: NEC CORPORATION, JAPAN

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:XIANG, JIANWEN;REEL/FRAME:029352/0244

Effective date: 20121112

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION